Promoting a Domain Controller over an IPSEC VPN

Over the weekend I was involved in joining a Windows 2003 server in the US to our domain here in Sydney over an IPSEC VPN. Due to the MTU limitations imposed by the T1 connection, plus the additional overhead of the IPSEC encryption, machines could join the domain, but every attempt to promote a machine to a Domain Controller failed.

It seemed to be a packet size issue, due to the low MTU (1410). This article from Microsoft describes the problem:

http://support.microsoft.com/?kbid=244474

I'll quote the section which describes the issue and the fix:

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.

If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
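The same change scripted, with a quick Don't-Fragment ping probe to confirm the tunnel's usable MTU before touching the registry. This is an added example, not code from the original post or from the Microsoft article; it assumes PowerShell is available on the member server, that it runs elevated, and that dc01.example.internal is a placeholder for the DC on the far side of the tunnel.

```powershell
# Registry location from KB 244474; a reboot is still required after the change.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Test-TunnelMtu {
    # Binary-search for the largest ICMP payload that crosses the tunnel with the
    # DF bit set. Windows ping prints "TTL=" on success and "needs to be fragmented"
    # when the probe is too large. A lost probe is treated as "too large", so run
    # it twice if the link is lossy.
    param([string]$DcHost, [int]$Low = 1000, [int]$High = 1472)
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        $out = (ping -f -n 1 -l $mid $DcHost) -join "`n"
        if ($out -match 'TTL=') { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low + 28   # payload plus 20-byte IP and 8-byte ICMP headers = path MTU
}

function Get-KerberosMaxPacketSize {
    # $null means the value is absent, i.e. the default behaviour (Kerberos over UDP).
    (Get-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' `
        -ErrorAction SilentlyContinue).MaxPacketSize
}

function Set-KerberosOverTcp {
    # Create the Parameters key if it is missing (the KB notes it may not exist),
    # then write MaxPacketSize as a REG_DWORD of 1, which forces Kerberos onto TCP.
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

# Placeholder hostname: replace with the DC across the VPN.
$mtu = Test-TunnelMtu -DcHost 'dc01.example.internal'
Write-Host "Observed path MTU to the DC: $mtu bytes"
if ($mtu -lt 1500 -and (Get-KerberosMaxPacketSize) -ne 1) {
    Set-KerberosOverTcp
    Write-Host 'MaxPacketSize=1 written (Kerberos over TCP). Reboot before running dcpromo.'
}
```

Checking the MTU first tells you whether the registry change is actually needed on a given link; if the probe reports 1500, the promotion failure lies elsewhere.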

This was a much better solution than building the DC in Sydney, and then shipping it over!

-Jonesy
